Solved

Risk Analysis

Posted on 2002-03-31
8
631 Views
Last Modified: 2008-03-10

What is a generic risk tool for business? And how can someone design it for a business? And is there any formula, equation or way of solving it?
0
Question by:saeeddxb
8 Comments
 
LVL 3

Assisted Solution

by:FlamingSword
FlamingSword earned 50 total points
ID: 6914843
> What is a generic risk tool for business?

Lies between your ears

> And how can someone design it for a business?

You get to remember --- and, to take it with you (even upon corporate bankruptcy)

> And is there any formula, equation or way of solving it?

Solving what? Risk? Risky business?

You probably want something like modeling, or focus on special ops like:

ROI
TCO
QOS
SLA

(Unless you want the old stuff, or the definitions from Detroit)

Companies hire lawyers.

To make safety device, what is cost?
To lose lawsuits, what is cost?

Math is normally simple add/subtract oversimplification. And risk, all too often, is small bullet on business agenda getting little attention if any (businessmen 'assume' they will get another job before the sh@t hits the fan concerning behavior on their current one)

But my hat's off to you for trying; risk analysis is a very, very important piece of work for any business with long-term objectives.
0
 
LVL 3

Expert Comment

by:FlamingSword
ID: 6914845
Also: think of Murphy's law:

If it can go wrong: it will,
And it is likely to fail when you can least afford it

Thus: Contingency Planning
(see also: backup)
0
 
LVL 24

Expert Comment

by:SunBow
ID: 6916715
First write up some Requirements

Then, the most generic handler I've found is called brain-storming. Collect a handful of reasonably knowledgeable people, an expert is ok, then just make up stuff, even silly (get loose, sillier is better) and have one member nominated to write it up on board for all to see. Nominate person a neat title, like "facilitator", keep 'em happy (to write, cheer, cajole, entice). After an hour or so, with board full of 'what could go wrong', take quick break, come back and have people talk about what was written up, circle the more reasonable ones, and make some sense of it that can be placed into list of probabilities, priorities, and type of risk. Use low/high for simplicity.

Equations are more applicable to repetitions for prior work.

One method I don't like, is dumping off quality control to consumer market. This includes MTBF for HW such as disk drives, which really sounds like a match for formula, but in practice is termed inefficient for business purposes (marketing, time to market).
0
 
LVL 24

Accepted Solution

by:SunBow
SunBow earned 50 total points
ID: 6916719
Where formulas are used, it becomes developing a method for reducing costs to two items:

Cost if event occurs (risk)
Cost to avoid the event

Then compare
0
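The comparison described in the accepted answer, worked through as an added example that is not part of the original thread. It assumes the cost of the risk is annualized as estimated frequency times cost per event (a common expected-loss model the thread does not spell out); the `Risk` fields, the `reduction` factor and every figure in the register are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    events_per_year: float      # estimated frequency (assumption: from brainstorming or history)
    cost_per_event: float       # "cost if event occurs"
    avoid_cost_per_year: float  # "cost to avoid the event", annualized
    reduction: float            # fraction of expected loss the measure removes, 0..1

def expected_annual_loss(r: Risk) -> float:
    """Frequency times consequence: the yearly cost of leaving the risk alone."""
    return round(r.events_per_year * r.cost_per_event, 2)

def compare(r: Risk) -> dict:
    """Compare the loss avoided by a measure against what the measure costs."""
    if not 0.0 <= r.reduction <= 1.0:
        raise ValueError(f"{r.name}: reduction must be between 0 and 1")
    loss = expected_annual_loss(r)
    avoided = round(loss * r.reduction, 2)
    net = round(avoided - r.avoid_cost_per_year, 2)
    # ROI is undefined for a free measure; report None rather than divide by zero.
    roi = round(net / r.avoid_cost_per_year, 2) if r.avoid_cost_per_year > 0 else None
    return {
        "name": r.name,
        "expected_annual_loss": loss,
        "loss_avoided": avoided,
        "net_benefit": net,
        "roi": roi,
        # Accept the risk when avoiding it costs more than it saves.
        "decision": "mitigate" if net > 0 else "accept",
    }

def rank(risks: list[Risk]) -> list[dict]:
    """Order the register so the measure with the largest net benefit comes first."""
    return sorted((compare(r) for r in risks), key=lambda row: row["net_benefit"], reverse=True)

# Constructed sample register (all numbers are illustrative, not from the thread).
REGISTER = [
    Risk("power outage at data centre", 2.0, 40_000, 15_000, 0.90),
    Risk("disk failure without backup", 0.5, 120_000, 6_000, 0.95),
    Risk("flood in server room", 0.01, 500_000, 20_000, 0.80),
]

if __name__ == "__main__":
    for row in rank(REGISTER):
        print(f"{row['name']:<30} loss/yr={row['expected_annual_loss']:>9.0f} "
              f"net={row['net_benefit']:>9.0f} roi={row['roi']} -> {row['decision']}")
```

The rare but expensive flood ends up as "accept" because its expected yearly loss is smaller than the yearly cost of avoiding it, which is the outcome the two-item comparison is meant to expose.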

 
LVL 3

Expert Comment

by:FlamingSword
ID: 6946343
NETWORK WORLD NEWSLETTER: M. E. KABAY on
SECURITY
04/03/02
Today's focus: Web-enabled risk analysis

By M.E. Kabay

My good friend and colleague Robert Jacobson recently released his time-tested Cost-of-Risk Analysis tool in a Web-based format. CORA-Web prioritizes the risk exposures of a facility and identifies the most cost-effective mitigation strategy to make best use of available resources.

In the process, it builds a solid business case for risk management recommendations. CORA-Web fully supports the Business Impact Analysis process defined in the draft NIST Special Publication 800-34, "Contingency Planning Guide for Information Technology Systems":
http://csrc.nist.gov/publications/drafts/ITcontingency-planning-guideline.pdf

A recent Deloitte & Touche study of e-businesses disclosed that no respondents were using risk analysis tools to guide risk management decisions: http://www.isaca.org/ecomm.htm

"This is easy to understand," said William Murray, senior
researcher on the study, "because until recently there have
been no efficient, realistic tools. On the other hand, these
are decisions where the use of intuition can result in very
expensive error. An efficient tool can easily cover its own
cost."

"I have found CORA and its predecessor IST products to be
powerful analytical tools for understanding security issues and
managing risks," said Lynn McNulty, head of security
consultants McNulty and Associates and former associate
director for computer security at the National Institute of
Standards and Technology.

While serving as director of information systems security for
the Federal Aviation Administration, McNulty used these tools
to analyze an air route traffic control center.  "This was the
first quantitative risk analysis of an ARTCC," he said. "CORA
makes it easy for an enterprise to quantify and manage all of
its risks, and CORA-Web will make it easy for a team to
collaborate on a project."

According to Jacobson, open-ended questionnaires have
limitations that are overcome by CORA-Web's quantitative model
of risk, which focuses attention on the specific details of the
risk environment needed to make prudent management decisions.
Each user defines exactly which risk factors to include in a
risk analysis, and employs the results to evaluate the
cost/performance of a full range of risk mitigation, risk
transfer, and risk recovery measures.

The application service provider Dynamic Access Systems is
hosting CORA-Web. CEO Alan Duncan said, "As an ASP, we put
great emphasis on risk management to ensure that we achieve the
service levels that our clients expect of us. CORA makes it
easy to analyze our risks, particularly threats that can cause
service interruptions, and to choose the optimum risk
mitigation strategies. The CORA analysis of the DynAccSys ASP
systems has made a very strong contribution to our marketing
and sales promotion."

For more information about CORA and CORA-Web, see Jacobson's
Web site at: http://www.ist-usa.com/

* * *

Disclaimer:  I have no financial interest whatever in CORA or
in International Security Technology, Inc. Because I have not
yet evaluated the software, this column should not be construed
as an endorsement.

_______________________________________________________________
To contact M. E. Kabay:

M. E. Kabay, PhD, CISSP is Associate Professor in the
Department of Computer Information Systems at Norwich
University in Northfield, Vt. Mich can be reached by e-mail at
mailto:mkabay@compuserve.com  He invites inquiries about his
information security and operations management courses and
consulting services. For papers and course materials on
information technology, security and management, visit his Web
site at http://www2.norwich.edu/mkabay/index.htm
_________________________________________________________
0
 
LVL 3

Expert Comment

by:FlamingSword
ID: 6946347
http://www.ist-usa.com/aboutcoraweb.htm :

The CORA-Web™ "Sixty-Day Solution"

What do you need to do?

Go beyond a simplistic Business Impact Analysis to a full quantitative evaluation of measures to reduce e-business service interruptions, and generate an ROI analysis of each possible strategy.
Build a solid business case for a specific business continuity measure, e.g. remote data copy, on-site diesel generator set, redundant electric service, etc.
Make a credible budget line item for risk losses!
Quantify risk exposures and generate a Frequency-Consequence Plot automatically.
Evaluate the ROI of insurance policies.
Determine the optimum business recovery strategy and Recovery Time Objective (RTO).  
Select from several alternative security solutions.
Identify risk exposures that can safely be ignored.
Help is at hand. CORA-Web™ is a powerful risk management decision support system that can resolve risk management requirements like these examples.
0
 
LVL 5

Expert Comment

by:sysandprog
ID: 7652871
Risk analysis for any business involves freezing some parameters, ignoring others, and not even knowing about the most important ones, which probably do not exist at the time the analysis is done.

I had some experience with exponential smoothing and realized it was being pushed in a market forecasting area where it did not fit, because actual quantities were far below those assumed in the development of exponential smoothing theory.  An "old timer" could do better with his traditional "seat of the pants" method.

In another instance I was asked to review equations developed by the operations research staff.  Several pages into the analysis I found significant mathematical errors.

At a seminar where that operations research team went up against the marketing manager, it was brought out that he, consistently, did as well, again with "seat of the pants" methods, as the highly trained operations research people  did with their fancy mathematics.

"Experience is the best teacher".


0
 
LVL 5

Expert Comment

by:zenlion420
ID: 9709128
Hey people,

No comment has been added in roughly 1 year, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts Split between SunBow and FlamingSword.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Zenlion420
EE Page Editor
0
